CVE-2023-41011: Command Execution Vulnerability in China Mobile Intelligent Home Gateway HG6543C4

A command execution vulnerability in the China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via the shortcut_telnet.cgi component.


Command Execution Vulnerability in China Mobile Intelligent Home Gateway HG6543C4

Device default information:
Equipment model: HG6543C4
Default wireless network name: CMCC-hXtx
Default wireless network password: f6qgriu4
Default terminal configuration address: 192.168.1.1
Default terminal configuration account: dr7u2tvn

Command execution POC: http://192.168.1.1/cgi-bin/shortcut_telnet.cgi?whoami

shortcut_telnet.cgi file code:

The purpose of the shortcut_telnet.cgi file is to enable or disable the telnet service. The code is a shell script that executes telnet commands from a web page and displays the results. Its general logic is as follows:

First, it outputs an HTTP header with a text content type.
Then, it defines two file name variables, one for storing the command and one for storing the result.
Next, it calls the …/cgi-bin/urldecode.cgi script to decode the command in the query string and assigns it to the CMD variable. If the command is top, it appends the -n 1 parameter so that the output is displayed only once.
Then, it creates a temporary shell script file, writes the value of the CMD variable into it, and grants it executable permission.
Next, it executes this temporary shell script and redirects the output to the result file.
Then, it reads each line of the result file and concatenates the lines into a single string, joined by a line-break separator.
Next, it deletes the temporary shell script and the result file.
Finally, it outputs the concatenated string.

Because the decoded query string is written into the temporary script and executed without any validation, whatever the request supplies is run as a command on the gateway.
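A hardened counterpart to the logic described above, as an added example that is not the vendor's code: the handler maps the query string to one of two fixed actions and never writes request data into a script. The names telnet_action, handle_request and telnet_ctl are assumptions, and telnet_ctl is a placeholder for the device's real service control.

```shell
#!/bin/sh
# Added example: allowlist dispatch for a CGI that only toggles telnet.
# All function names here are hypothetical, not taken from the firmware.

# Placeholder (assumption) for the device's real service-control command.
telnet_ctl() {
    echo "telnetd $1"
}

# Map the raw query string to a fixed action.
# Patterns contain no wildcards, so only exact matches are accepted;
# anything else, including URL-encoded or chained input, is rejected.
telnet_action() {
    case "$1" in
        enable|action=enable)   echo start ;;
        disable|action=disable) echo stop ;;
        *)                      return 1 ;;
    esac
}

# Handle one request: the query string selects an action but is never
# decoded into a command, written to a file, or passed to a shell.
handle_request() {
    query="$1"
    if action=$(telnet_action "$query"); then
        printf 'Content-Type: text/plain\r\n\r\n'
        telnet_ctl "$action"
    else
        printf 'Status: 400 Bad Request\r\n'
        printf 'Content-Type: text/plain\r\n\r\n'
        echo "unsupported action"
        return 1
    fi
}

# Run only when invoked by a web server as a CGI program.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request "${QUERY_STRING:-}"
fi
```

The endpoint should additionally sit behind the gateway's authenticated session, since toggling telnet is itself a privileged operation.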

